Over time, many homes and organizations have moved toward wireless networks. One of the reasons people are switching to wireless networks is to overcome physical limitations. From a hacker's perspective, wireless networks are an easy target: compared with wired networks, they are easy to sniff and attack.
In this series, we will cover a wide variety of attacks that can be performed against a wireless network. We will start by discussing how to bypass the low-level security that a network administrator often implements, such as hiding the SSID and enabling MAC filtering. After that, we will dive into the essence of this series, where I will demonstrate how easy it is to crack WEP/WPA/WPA2 pre-shared keys. Finally, I will demonstrate how to set up a fake access point and compromise anyone connecting to it.
Requirements
For this purpose, your requirements are:
- A Wireless access point,
- And a Wireless adapter that supports packet injection.
These two things are all we require to replicate what is discussed in this series. The access point is required because we do not want to attack a neighbor's access point; that would be unethical, and as a penetration tester or an ethical hacker you should make sure that you follow ethics.
The second and most important requirement is a wireless adapter that supports packet injection and is also able to sniff in monitor mode. Personally, I prefer the tp-link AC600 wireless adapter; it not only supports packet injection but also supports both the 2.4 and 5 GHz bands at a cheap price. I will list a few other options on my blog.
Once you have a tp-link AC600 adapter that supports packet injection, plug the adapter into your computer. Since we are running Parrot Security OS in a virtual machine, we need to attach the network adapter to our Parrot Security OS machine.
This can be done by going into the menu at the bottom of your PC → USB → Click on the Realtek 802.11ac WLAN adapter. The virtual machine will then detect our network adapter.
Next, we will execute the "iwconfig" command to confirm that our Parrot Security machine has detected our network adapter.
Our Parrot Security machine has detected our wireless network adapter; however, as we can see, it is not associated with any access point.
We could use the network manager from the top of the window to check the available wireless networks.
Once we have connected to the appropriate access point and executed “iwconfig”, we will see that the interface contains information regarding ESSID, MAC address, etc.
Why I did not use Kali Linux for Wi-Fi penetration testing
The first problem I found was that when I plugged the Wi-Fi adapter into Kali Linux, I had to install the driver separately.
You can list the adapters by running the lsusb command.
As you can see, my adapter is listed here. You can install the Realtek driver packages by running sudo apt-get install realtek-*.
This will download all the available Realtek driver packages. Once you are done with this, reboot your system.
Now execute the "iwconfig" command to confirm whether our Kali Linux machine has detected our network adapter or not. As I already told you, it will not be detected.
I thought there might be a problem with the VirtualBox Guest Additions, so I installed those. First copy the disk to the desktop, then change directory to cdrom0, list the files and directories, and execute the program.
Notice the output: I spotted a problem, the kernel headers are not found for the latest version of Kali Linux, so there may be a fault with VirtualBox. I tried a dist-upgrade, but that did not solve it.
So I switched to the Parrot Security operating system.
Putting the wireless card in monitor mode
The next thing we want to do is switch our network card into monitor mode. A question may come to mind: why is monitor mode so important in Wi-Fi penetration testing? The answer is that monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to sniff all traffic received on a wireless channel.
To sniff on wireless networks, we need to make sure that our network card is in monitor mode. One of the advantages of the tp-link AC600 card is that it allows us to sniff in monitor mode, so you need to make sure that your network card supports monitor mode for this to work.
In monitor mode, your card can listen to every frame transmitted on the air around you.
By default, the mode of a wireless device is set to "Managed", which means our wireless device will only capture packets that have our device's MAC address as the destination MAC.
We can use the following command to change the network card to monitor mode:
So now we can see that we have successfully enabled monitor mode on the wlx5ca6e6d99859 interface. We can use the "iwconfig" command to confirm which interfaces have monitor mode enabled.
There is another tool commonly used to enable monitor mode: airmon-ng.
Before using the airmon-ng tool, we first have to change the mode back to managed. Once that is done, we can run airmon-ng start followed by the interface name to switch the network card to monitor mode.
So now we can see that we have successfully enabled monitor mode on the wireless interface. We can use the iwconfig command to confirm which interfaces have monitor mode enabled.
Let's check whether the wireless adapter is capable of packet injection using aireplay-ng --test <adapter name>.
On execution, it will run the test; you can see the result on my screen, which confirms that the adapter is capable of packet injection.
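The two paragraphs above rely on reading iwconfig output by eye to confirm the mode of each interface. The following parser, added here as an example and not part of the original post or of the wireless-tools package, turns that output into a structured check so the "is it really in Monitor mode?" question can be answered by a script before a capture is started. The iwconfig text embedded in the block is constructed to resemble real output (the interface name wlx5ca6e6d99859 is the one used in the post; wlan0, eth0, the ESSID and the access point address are made-up sample values).

```python
import re
import shutil
import subprocess

# Constructed sample of iwconfig output (not captured from the author's machine):
# one interface already in monitor mode, one wired interface, one managed Wi-Fi interface.
SAMPLE_IWCONFIG = """\
wlx5ca6e6d99859  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:"LabAP-2G"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 02:00:5E:00:00:01
          Bit Rate=72.2 Mb/s   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
"""

MODE_RE = re.compile(r"Mode:(\S+)")
ESSID_RE = re.compile(r'ESSID:(?:"([^"]*)"|(\S+))')   # quoted name, or off/any
FREQ_RE = re.compile(r"Frequency:([\d.]+) GHz")
AP_RE = re.compile(r"Access Point: (\S+)")


def parse_iwconfig(text: str) -> dict:
    """Split iwconfig output into per-interface blocks and pull out the fields
    that matter before sniffing: mode, ESSID, frequency and associated AP.
    Interfaces without wireless extensions map to None."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # a new interface block starts at column 0
            name, _, rest = line.partition(" ")
            current = name
            if "no wireless extensions" in rest:
                interfaces[name] = None           # wired or non-802.11 interface
                continue
            interfaces[name] = {"mode": None, "essid": None, "freq_ghz": None, "ap": None}
        if current is None or interfaces[current] is None:
            continue
        info = interfaces[current]
        if m := MODE_RE.search(line):
            info["mode"] = m.group(1)
        if m := ESSID_RE.search(line):
            info["essid"] = m.group(1) if m.group(1) is not None else m.group(2)
        if m := FREQ_RE.search(line):
            info["freq_ghz"] = float(m.group(1))
        if m := AP_RE.search(line):
            info["ap"] = m.group(1)
    return interfaces


def monitor_interfaces(text: str) -> list:
    """Names of interfaces whose mode is Monitor: the check to run before sniffing."""
    return sorted(name for name, info in parse_iwconfig(text).items()
                  if info and info["mode"] == "Monitor")


def current_iwconfig() -> str:
    """Run the real iwconfig when it is installed (Linux with wireless-tools);
    otherwise fall back to the constructed sample so the script runs anywhere."""
    if shutil.which("iwconfig"):
        return subprocess.run(["iwconfig"], capture_output=True, text=True).stdout
    return SAMPLE_IWCONFIG


if __name__ == "__main__":
    output = current_iwconfig()
    for name, info in parse_iwconfig(output).items():
        print(name, info if info else "no wireless extensions")
    print("monitor-mode interfaces:", monitor_interfaces(output))
```

The same parse also tells you when an interface is still Managed and associated to an access point, which is the state you want to confirm you have returned to after a test, so that the card is no longer passively collecting other people's frames.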
Monitoring Beacon Frames on Wireshark
Now that monitor mode is enabled, we will sniff on the network interface, which will bring us beacon frames containing the SSID that is being broadcast. If the SSID is not broadcast, it won't show up.
First, start Wireshark and select the appropriate interface.
We selected the appropriate interface to sniff on. Now we are able to see beacon frames from other access points with which we are not associated.
Whenever a client authenticates against the access point with the hidden SSID, it will send an SSID parameter; therefore, we can easily figure out what the real SSID is.
Monitoring the traffic using Airodump-ng
The easy way around this is to use airodump-ng to start monitoring the traffic; as soon as a client authenticates, the SSID will be revealed.
Airodump-ng is a packet capture utility that captures and saves raw data packets for further analysis.
To capture packets, use airodump-ng and specify the interface name.
Before executing, let me start the hotspot on my smartphone. One of the hotspots broadcasts on the 2.4 GHz band and the other on the 5 GHz band.
On execution, it will start sniffing all the information about access points around me. As you can see, we have one access point listed, which is a 2.4 GHz access point. This means that, by default, airodump-ng is set to the 2.4 GHz band, so we have to specify the band on execution.
On execution, you will be sniffing all the information about access points that were not listed previously, which means sniffing is now set to the 5 GHz frequency band.
I hope you understood how important a wireless adapter is for wireless penetration testing.
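Two points from the Wireshark and airodump-ng sections are easier to see by parsing the frames directly: a "hidden" SSID is nothing more than an empty or NUL-filled SSID element in the beacon, and the band an access point lives on is announced in the beacon's DS Parameter Set channel, which is why a 2.4 GHz-only scan never lists a 5 GHz hotspot. The following block is an added example (not code from the original post and not part of Wireshark or the aircrack-ng suite): it builds a few constructed beacon frames, parses their information elements, flags hidden SSIDs, and maps the channel to a band and centre frequency. The BSSID and SSIDs are made-up sample values, and the radiotap header that a real monitor-mode capture prepends is assumed to have been stripped already.

```python
import struct

# 802.11 information-element (IE) IDs used below
IE_SSID = 0          # SSID element; zero-length or all-NUL when the SSID is "hidden"
IE_RATES = 1         # supported rates
IE_DS_PARAM = 3      # DS Parameter Set: the channel the AP beacons on

# Constructed BSSID for the sample frames (locally administered, not a real AP)
SAMPLE_BSSID = b"\x02\x00\x5e\x00\x00\x01"


def build_beacon(ssid: bytes, channel: int, bssid: bytes = SAMPLE_BSSID) -> bytes:
    """Assemble a minimal beacon frame (radiotap header already stripped) for offline tests."""
    frame_control = b"\x80\x00"              # type 0 (management), subtype 8 (beacon)
    duration = b"\x00\x00"
    destination = b"\xff" * 6                # beacons are broadcast
    sequence = b"\x00\x00"
    mac_header = frame_control + duration + destination + bssid + bssid + sequence  # 24 bytes
    fixed = struct.pack("<QHH", 123456789, 100, 0x0411)  # timestamp, beacon interval (TU), capabilities
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps basic rates
    ies += bytes([IE_DS_PARAM, 1, channel])
    return mac_header + fixed + ies


def parse_ies(data: bytes) -> list:
    """Walk the tagged-parameter region as (id, length, value) TLVs; stop on truncation."""
    ies, i = [], 0
    while i + 2 <= len(data):
        ie_id, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:              # truncated capture: do not misparse the tail
            break
        ies.append((ie_id, value))
        i += 2 + length
    return ies


def channel_to_band(channel: int) -> tuple:
    """Map a DS Parameter Set channel to (band, centre frequency in MHz).
    Assumes 2.4 GHz (1-14) and 5 GHz (36-177) numbering only; 6 GHz reuses low
    channel numbers and would need the HE Operation IE to be told apart."""
    if 1 <= channel <= 14:
        return "2.4 GHz", 2484 if channel == 14 else 2407 + 5 * channel
    if 36 <= channel <= 177:
        return "5 GHz", 5000 + 5 * channel
    return "unknown", None


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID (and whether it is hidden), channel and band from one beacon."""
    if len(frame) < 36:
        raise ValueError("too short: need 24-byte MAC header + 12 fixed bytes")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 8:
        raise ValueError("not a beacon (type/subtype mismatch)")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])     # Address 3 = BSSID
    ssid_raw, channel = None, None
    for ie_id, value in parse_ies(frame[36:]):
        if ie_id == IE_SSID and ssid_raw is None:
            ssid_raw = value
        elif ie_id == IE_DS_PARAM and len(value) == 1:
            channel = value[0]
    # A "hidden SSID" is just an empty or NUL-filled SSID element in the beacon;
    # the name is still sent in clear by clients when they join, as the post notes.
    hidden = not ssid_raw or all(b == 0 for b in ssid_raw)
    ssid = "" if hidden else ssid_raw.decode("utf-8", errors="replace")
    band, freq = channel_to_band(channel) if channel is not None else ("unknown", None)
    return {"bssid": bssid, "ssid": ssid, "hidden": hidden,
            "channel": channel, "band": band, "freq_mhz": freq}


def band_counts(frames: list) -> dict:
    """Count beaconing APs per band; shows what a 2.4 GHz-only capture would miss."""
    counts = {}
    for frame in frames:
        band = parse_beacon(frame)["band"]
        counts[band] = counts.get(band, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed frames standing in for a capture: a visible 2.4 GHz hotspot,
    # a hidden-SSID AP on 2.4 GHz, and a visible 5 GHz hotspot.
    capture = [build_beacon(b"LabAP-2G", 6),
               build_beacon(b"", 1),
               build_beacon(b"LabAP-5G", 36)]
    for f in capture:
        print(parse_beacon(f))
    print(band_counts(capture))
```

From a defender's side the same parse is the basis of a simple inventory check: any beacon whose BSSID or SSID is not on your list of authorized access points is worth investigating, and hiding your own SSID should not be counted as a control, since the element is still present and the name leaks as soon as a client joins.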